Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25896; Tue, 12 Jun 90 06:48:45 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA12991; Tue, 12 Jun 90 06:48:41 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04288; Tue, 12 Jun 90 06:48:26 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa09726; 12 Jun 90 11:15 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:05:40 BST 
Message-Id:   <$TGVTCZHTCBRC at UMPA>
Subject:      Virus-L vol 0 issue #0801



Virus-L Digest Mon, 1 Aug 88, Volume 0 : Issue #0801

Today's Topics

PERFECT VIRUS
Re: "Bug" in mailer?
Re: interesting statistic
Re: Time Bomb Carrier Programs...
Re: Legal implications
"2600" Quarterly, Summer, 1988
Re: interesting statistic
Late Comments
** no subject, date = Mon, 1 Aug 88 13:16:33 EDT
** no subject, date = Mon, 1 Aug 88 13:20:13 EDT
Re: "2600" Quarterly, Summer, 1988

------------------------------

Date:         Mon, 1 Aug 88 01:19:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         S9RR@MCGILLB
Subject:      PERFECT VIRUS

Just a hunch I had about that note threatening the advent  of  the  PERFECT
virus:  might  this be about a virus targeting the new WordPerfect 5.0? It
seems to me that WP 5.0 is going to be spread around  quickly  and  widely,
furnishing a powerful vehicle for a virus. Sound plausible?

--------------------

Date:         Mon, 1 Aug 88 07:59:04 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: "Bug" in mailer?
In-Reply-To:  Message of Sat, 30 Jul 88 00:51:49 CST from <JFORD1@UA1VM>

>     Well folks, I'm not sure who to send this to, but since it was to
>Loren (LKK0 at LEHIIBM1) this list seems to be as good as any.

Apparently, Loren forgot what his e-mail address is when he broadcast it to
this list. Loren Keim's address is <LKK0@LEHIGH.BITNET>,  not  ..@LEHIIBM1.
LEHIIBM1 is a CMS system for staff use only here at Lehigh; Loren's account
is on LEHIGH since he is not a member of the LUCC staff. Ken

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Mon, 1 Aug 88 10:08:15 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: interesting statistic
In-Reply-To:  Message of Fri, 29 Jul 88 17:29:00 EDT from <WWEAVER@DREW>

>    ... says there have already been 250,000 outbreaks.  He estimates that
>40 of the nation's largest industrial companies have been infected..."

Gee, did everybody call? :-)
- - Joe M.

--------------------

Date:         Mon, 1 Aug 88 10:17:24 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: Time Bomb Carrier Programs...
In-Reply-To:  Message of Sat, 30 Jul 88 18:45:27 EDT from <XRAYSROK@SBCCVM>

>     ... does anyone know of any viruses which are embedded in a program
>and are dormant until the program is run (like a trojan horse) or
>perhaps are dormant until after a certain date and the program has been
>spread around?  A malicious virus which does not actively spread until
>after a certain date could be really dangerous couldn't it?  If the
>carrier program were highly desirable (except for the dormant virus),
>individuals could spread the virus without knowing it, and it would be
>IMPOSSIBLE to detect the dormant virus before the activation date
>without actually dissecting the carrier program.  Hence the virus
>could be passively and undetectably distributed until some date, and
>then it could begin to spread actively (and simultaneously) from all
>the copies of program wherever they might be.  And it would be a while
>before the carrier program would be incriminated, because of the delay
>between "inoculation" and full-blown infection (like AIDS).

Congratulations! You have just described the "incubation period"  that  the
Mac's  SCORES  virus  has :-). It sits around for 4 days before starting to
infect applications, and THEN waits another 2 before doing its  nasties  to
the VULT and ERIC applications. --- Joe M.

--------------------

Date:         Mon, 1 Aug 88 10:27:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Legal implications
In-Reply-To:  Message of 31 Jul 88 23:10 EDT from "Robert Newberry"

Robert Newberry asks:

   1.  If it is actually legal to start spreading computer diseases.
   2.  Court decisions on computer disease related cases.  Can a victim
       sue the creator of a virus for loss of important data.

In general under common law, that which  is  not  explicitly  forbidden  is
implicitly  permitted.  Even lying is permitted up to a point. One limit is
lying in an attempt to defraud.  However,  except  when  it  is  explicitly
restricted in such a way, there is no generic law that could be expected to
cover all viruses.

I am not aware of any applicable litigation.

One should assume that he can be sued for anything. However, the burden  of
proof is usually on the one bringing suit. He must be able to prove that he
was damaged, by the act of another, and that that act was deliberate or, at
least,  negligent.  The proof must be "by a preponderance of the evidence."
Proving any of these things by such a test is always difficult. In the case
of a virus, it would be very difficult at best.

(This information is intended as general information; proper legal  counsel
should be used to evaluate any case or instance or to guide your behavior.)

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Mon, 1 Aug 88 10:32:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Resent-From: WHMurray@DOCKMASTER.ARPA
Comments:     Originally-From: WHMurray@DOCKMASTER.ARPA
From:         WHMurray@DOCKMASTER.ARPA
Subject:      "2600" Quarterly, Summer, 1988

The current issue of 2600 carries a lengthy article by  Ross  Greenberg  on
viruses  and  FLUSHOT.  In  it,  he uses very colorful language (much of it
ripped off from "Dirty  Harry"  by  Ronbo)  to  describe  those  who  would
perpetrate viruses.

Of interest is that  this  article  was  published  by  2600,  "The  Hacker
Quarterly."  This  publication  has promoted its anti-establishment (not to
say anarchist) bias and origins. Does their publication  of  Ross'  article
suggest  that  they are maturing and becoming members of the  establishment
that they have so long opposed?  Or,  does  it  suggest  that  hackers  are
beginning  to  recognize  that  they,  perhaps  more  than  others, have an
interest in honest labelling of programs?
Bill

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Mon, 1 Aug 88 11:15:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: interesting statistic
In-Reply-To:  Message of 29 Jul 88 17:29 EDT from Woody

"No one knows how many viruses have been planted. But  John  D.  McAfee,  a
virus expert at InterPath Corp., a security consulting firm in Santa Clara,
Calif.,  says  there have already been 250,000 outbreaks. He estimates that
40 of the nation's largest  industrial  companies  have  been  infected..."

Another quote that I am glad was not attributed to me. He must be  counting
every execution as an "outbreak." (I like F. Cohen's 10K estimate  better.)

I might agree that "low tens" of "institutions" "may have seen" a virus but
"40 of the nation's largest industrial  companies  have  been  infected..."
seems a little strong.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Mon, 1 Aug 88 11:04:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         CEARLEY_K%wizard@VAXF.COLORADO.EDU
Subject:      Late Comments

Re: previous response to why COMMAND.COM was  padded  with  zeros  and  the
answer  was  to  protect  from  shipping  damage!??  A  case for linguistic
determinism? I don't think media damage would confine itself to  that  last
portion  of the program as if treating the zeros as bubble insulates or was
that humor? Or is this humor?

Tactics...

A relatively effective software strategy for an anti-viral program might be
to use the timer interrupt. It is done by installing a TSR which implements
two functions:

1- When loaded, it intercepts the timer interrupt vector. It then times its
   own execution and stores this duration with a  checksum.  This  prevents
   its  interrupt  from  being  preempted  by  using  timing  dependencies.
2- At 18 times per second, it compares interrupt vectors for modifications,
   these are flagged and, if restricted, they are disabled.

The resolution  is  somewhat  coarse  considering  the  number  of  machine
instructions  that  can  execute  between intervals, but it can effectively
arrest the destruction of data.

*-----------------------------------------------------------------------*
|       Kent Cearley              |     "All truth contains its own     |
|       Management Systems        |      contradiction"                 |
|       University of Colorado    |                                     |
*-----------------------------------------------------------------------*
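
[Added example, not part of Kent Cearley's post or of any product: a
hosted C model of the per-tick comparison in step 2 above. The interrupt
vector table is simulated as a 256-entry array, and the monitor_t type,
the function names, the choice of which vectors are restricted and all
addresses are assumptions made for illustration. The self-timing check
of step 1 is not modelled.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVEC 256                       /* real-mode IVT: 256 entries */

typedef struct { uint16_t off, seg; } vec_t;   /* segment:offset far pointer */

typedef struct {
    vec_t    baseline[NVEC];    /* snapshot taken when the monitor loads */
    uint8_t  restricted[NVEC];  /* 1 = undo changes, 0 = only flag them */
    unsigned flagged, restored;
} monitor_t;

void monitor_init(monitor_t *m, const vec_t *ivt) {
    memset(m, 0, sizeof *m);
    memcpy(m->baseline, ivt, sizeof m->baseline);
}

/* Per-tick check: returns how many vectors changed since the last tick.
   Restricted vectors are put back; other changes are counted once and
   then accepted as the new baseline. */
int monitor_tick(monitor_t *m, vec_t *ivt) {
    int changed = 0;
    for (int i = 0; i < NVEC; i++) {
        if (ivt[i].off == m->baseline[i].off && ivt[i].seg == m->baseline[i].seg)
            continue;
        changed++; m->flagged++;
        if (m->restricted[i]) { ivt[i] = m->baseline[i]; m->restored++; }
        else                  { m->baseline[i] = ivt[i]; }
    }
    return changed;
}

/* Constructed scenario: re-point one vector after load, run one tick,
   report whether the new handler address is still installed. */
int hook_survives(int vector, int is_restricted) {
    static vec_t ivt[NVEC];
    static monitor_t m;
    for (int i = 0; i < NVEC; i++) { ivt[i].seg = 0xF000; ivt[i].off = (uint16_t)(i * 4); }
    monitor_init(&m, ivt);
    m.restricted[vector] = (uint8_t)is_restricted;
    ivt[vector].seg = 0x9000;          /* constructed replacement address */
    monitor_tick(&m, ivt);
    return ivt[vector].seg == 0x9000;
}

int main(void) {
    printf("INT 13h (restricted) hook survives: %d\n", hook_survives(0x13, 1));
    printf("INT 60h (flag only)  hook survives: %d\n", hook_survives(0x60, 0));
    return 0;
}
```

[The comparison only runs while the monitor's own timer handler is still
being called, which is the dependency step 1 of the post is meant to
guard.]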

--------------------

Date:         Mon, 1 Aug 88 13:16:33 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Robert, I've been looking for laws concerning viruses for  some  time,  and
haven't found  any. I have located three laws which I will summarize when I
have them in front of me. They basically state that it is illegal to  enter
a  computer  system  that  is not their own or that they don't rightly have
access to because it's a  form  of  breaking  and  entering  ...  if  their
computer  enters  it,  they  are responsible, or if some program they wrote
enters it, they are responsible. It is also illegal to read other  people's
mail on the system, even if it is your  own  company's  system.  And  it's
illegal  to  change  anything  on a system which you were not  specifically
asked to change by the user, if I remember correctly.

As for a Word Perfect virus. I hadn't considered the  implications  of  the
word  PERFECT  (no  pun  intended). As I remember, some school had written a
letter to this listserv back in February (please excuse my  typing  ...  my
terminal  will not backspace with this machine), about a word perfect virus
(Miami?). They were complaining about it being a variant form of the  brain
which would attack the program Word Perfect if memory serves. I'll have  to
look back through my files for it.

Also, 250,000 outbreaks is a bit high. If they  are  counting  number  of
disks infected, that might be a little low. We had around 600 disks infected
at  Lehigh  alone  with  the first outbreak of a virus here. Figures of the
Israeli virus put it at around  18000  copies  found  (although that number
couldn't be backed up by anyone.)

Loren

--------------------

Date:         Mon, 1 Aug 88 13:20:13 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Kent, The idea you present makes the microcomputer unusable unless  it  has
multiple  motherchips.  (Actually, a TSR chip can be added which works like
any chip run on interrupts). You cannot implement your idea  in  software.

--------------------

Date:         Mon, 1 Aug 88 22:45:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         LYPOWY@UNCAMULT
Subject:      Re: "2600" Quarterly, Summer, 1988
In-Reply-To:  Message of 1 Aug 88 08:32 MDT from "WHMurray at DOCKMASTER.ARPA"

I am sending this here because I don't believe I can send mail to  WHMurray
from  here.  Could  someone  please  send me some info on 2600 Magazine (in
particular subscription information and/or some address where I can request
such information). Thanks! Greg Lypowy

--------------------

*** end of Virus-L issue ***
